
W32.IRCBot.Gen

Modifies Hosts file
Backdoor:Win32/IRCbot.gen!Z adds the following lines to the Windows Hosts file to block access to these security websites: avp.com ca.com customer.symantec.com dispatch.mcafee.com download.mcafee.com f-secure.com kaspersky.com kaspersky-labs.com liveupdate.symantec.com liveupdate.symantecliveupdate.com mast.mcafee.com

Please go to the Microsoft Recovery Console and restore a clean MBR. Note: Additionally, it may be necessary to temporarily change the permissions on network shares to read-only until the disinfection process is complete.

The Win32.IRCBot worm provides a backdoor server and allows a remote intruder to gain access and control over the computer via an Internet Relay Chat channel.[1] This allows for confidential information

In order to lure the user into executing the file, it uses an icon that resembles a folder icon.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher). It then hides all folders on the removable drives, in an attempt to trick you into clicking on its copy rather than on the folder on your drive.

The following Microsoft products detect and remove this threat: Microsoft Security Essentials or, for Windows 8, Windows Defender; Microsoft Safety Scanner.

Threat behavior
Backdoor:Win32/IRCbot.gen!Y is a bot that connects to an

Spreads via...
An attacker can gain control over the compromised computer and use it to send spam or install further malware. All Users: Use current engine and DAT files for detection and removal. This version of IRC Bot may exploit the MS04-011 vulnerability to spread across shares.

Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Payload
Allows backdoor access and control: Backdoor:Win32/IRCbot.gen!AA allows unauthorized access to and control of your computer. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

Minimum Engine: 5600.1067
File Length: 167936
Description Added:

Installation
Backdoor:Win32/IRCbot.gen!Z copies itself to the %windir% or directory with a random file name, and then runs that copy of itself.

Indication of Infection: presence of the above mentioned files.

The following registry value has been added to the system:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-01WE-AAX2-314CCA554372}]
StubPath = "%SystemDrive%\OGa\RD\GOx.exe"
The above mentioned registry entry ensures that the Trojan registers with the compromised

Upon execution the malware copies itself into the location mentioned below and connects to the site sik[removed].net through port 6969.
%SystemDrive%\WINDOWS\dllmgr.exe

It also drops the following files:
%SystemDrive%\OGa\RD\DesKTop.ini
%SystemDrive%\OGa\RD\GOx.exe
This

The following folders have been added to the system:
%SystemDrive%\OGa
%SystemDrive%\OGa\RD
[Note: %SystemDrive% is the drive where the Operating System is installed; in most cases it will be C:\]

Update February: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=654601

Unlike viruses, trojans do not self-replicate.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Backdoor.Win32.IRCBot&oldid=732156937"

e.g. %WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000); %PROGRAMFILES% = \Program Files

The following files were analyzed: Zdvmvl.exe
The following files have been added to the system: %TEMP%\Thumbs.js.exe
The following

It adds the following registry entry so that it automatically runs every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Corp Update"
With data: "%AppData%\winsvrn32.exe"
It creates the mutex "dr9nsr4gx".

Worms are self-replicating malicious files that spread from computer to computer by several means, including but not restricted to USB Autorun functionality. "W32/IRCbot.gen.a" is a worm that spreads over removable drives.

Activities / Risk Levels:
Attempts to load and execute remote code in the explorer process.
Attempts to load and execute remote code in a system process.
Attempts to write to a memory location of a protected process.
Attempts

Most variants of the bot identify themselves as "gBot V2" via the inclusion of a text string in their code.

All Users: Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
1. Disable System Restore.
2. Update to current engine and DAT files.

The messages will include a link to download the malicious file.

Using this backdoor, an attacker can perform a number of actions on an affected computer, including the following:

  • Download, upload and run files (including plugins for the bot)
  • 

Either manual execution or by exploiting network service vulnerabilities. The most common installation methods involve system or security exploitation,


    This could include, but is not limited to, the following actions: download and execute arbitrary files; upload files; spread to other computers using various methods of propagation; log keystrokes or steal

    When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically. The dropped autorun.inf contains:
    [autorun]
    open=OGa\RD\GOx.exe
    ;ªÓÈÅÌÌüÏÐÅÎüÄÅÆÁÕÌԝ‘
    ;Fuck U Motha Fucka I Could have been

    Some of the additional files it has been observed to drop into the %SYSTEM%\drivers directory are: nwlnkpw.sys nwlnkus.sys nwlnkad.sys nwlnked.sys nwlnkcm.sys nwlnkra.sys nwlnkcr.sys

    During testing the following registry entries were added:

    This is a network-aware worm and has the ability to check whether or not it has internet connectivity. Upon execution the worm tries to connect to the following IP addresses: 116.[Removed].147 and 92.[Removed].27

    Upon execution, the malware will try to spread to all fixed and removable drives as described below. A normal session may show the following content in clear text:
    NICK [USA|XP|MCAFEE-7BEE0E38]eqejlfo
    USER y0 "" "lol" :y0
    NICK new[USA|XP|MCAFEE-7BEE0E38]afpltxv
    USER y0 "" "lol" :y0
    Sinkholed by abuse.ch NICK JOIN PASS

    Note: refers to a variable location that is determined by the malware by querying the operating system.

    The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; for XP, Vista, and 7 it is "C:\Windows\System32". Additionally, it attempts to place an Autorun.inf file in the root of the volume so that it is executed the next time the volume is mounted.

    Connections to the following C2C on port 81: java.KUTLUFAMILY.COM java.BALDMANPOWER.NET java.BALDMANPOWER.ORG java.BALDMANPOWER.COM

    Methods of Infection (Updated 25th Sept 2013)
    This worm may be spread by its intended method of infected removable

    Some variants of Backdoor:Win32/IRCbot.gen!Y modify the registry to ensure their copy runs at each Windows start. For example, if the removable drive contains folders named "foo1" and "foo2", then the backdoor copies are named "foo1.exe" and "foo2.exe".

    They are spread manually, often under the premise that the executable is something beneficial. For more information on returning an infected computer to its pre-infected state, please see the following articles: Resetting your computer's security settings to default; Stopping and starting Windows services: For Windows 7, For

    They are spread manually, often under the premise that they are beneficial or wanted. It is a member of the Backdoor:Win32/IRCbot family of backdoor trojans.

    Upon execution, it drops a copy of the bot into the currently logged-on user's %SYSTEM%\drivers directory. An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/IRCbot.gen!AA.

    Backdoor.Win32.IRCBot (From Wikipedia, the free encyclopedia)
    Backdoor.Win32.IRCBot (also known as W32/Checkout (McAfee), W32.Mubla (Symantec), W32/IRCBot-WB (Sophos), and Backdoor.Win32.IRCBot.aaq (Bydoon Center)[1]) is a backdoor computer worm that is

    In the wild, we have observed the following modifications to the registry:
    In subkeys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Windows Defender"
    With data: "%system%\windefend.exe"
    Sets value: "Windows Defense Service"
    With data: "%system%\windefend.exe"
    Sets value:

    Upon execution, "W32/IRCbot.gen.a" copies itself into the following location: %Temp%\trinaest.exe
    It also drops an autorun.inf file into the root of all removable drives and mapped drives in an attempt to autorun

    Virus Characteristics (Updated 25th Sept 2013)
    This detection is for a worm that attempts to copy itself to the root of any accessible